Information Processing Policy, Personal Data Processing, and Information Security at Conservas Delcasino S.A.S.

1. OBJECTIVE

Promoted by CONSERVAS DELCASINO SAS, a company with its main address at Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia, and Tax ID No. 830053180-6, with email addresses: lider.admon@salsasdelcasino.com, asistenteadmon@salsasdelcasino.com, website:www.alimentosdelcasino.com, and telephone numbers 601 487 3232 – 601 487 2551 – 316 626 5290, respect and proper handling in the PROCESSING OF INFORMATION AND THE PROCESSING OF PERSONAL DATA, in compliance with current legal regulations, in particular Law 1266 of 2008" which establishes the general provisions of habeas data," Law 1581 of 2012"which establishes general provisions for the protection of personal data," its Regulatory Decrees, and other laws, decrees that add to, modify, or complement them.

For the proper development of its corporate purpose , CONSERVAS DELCASINO SAS, and as the entity responsible for the processing of personal data, collects, stores, uses, circulates, and deletes personal data corresponding to individuals with whom it has or has had a relationship, such as, without limitation, employees and their families, shareholders, consumers, customers, distributors, suppliers, creditors, debtors, and in general, anyone with whom it has any type of relationship, whether employment, civil, or commercial.

Therefore, we reiterate the importance of complying with the procedures established in current regulations for the processing of information and personal data, thereby promoting a culture of respect and proper handling of information within the company.

2. PRINCIPLES

Principle of freedom: Processing may only be carried out with the prior, express, and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.

Principle of restricted access and circulation: Processing is subject to the limits derived from the nature of personal data, the provisions of this law, and the Constitution. In this regard, processing may only be carried out by persons authorized by the owner and/or by the persons provided for in Law 1581 of 2012. In this regard, Access to personal data shall only be permitted to the following persons: 

• To the data owner.
• To persons authorized by the data owner.
• Persons who are authorized by law or court order to access the information of the data subject. 

Security principle: Information subject to processing by the data controller or data processor referred to in Law 1581 of 2012 must be handled with the technical, human, and administrative measures necessary to ensure the security of the records, preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access.

Principle of confidentiality: All persons involved in the processing of personal data that is not public in nature are obliged to guarantee the confidentiality of the information, even after their relationship with any of the tasks involved in the processing has ended, and may only supply or communicate personal data when this corresponds to the performance of the activities authorized in this law and under the terms thereof.

Principle of non-discrimination: Any act of discrimination based on information collected in databases or files is prohibited. 

Principle of accuracy or quality of records or data: The information contained in databases must be accurate, complete, precise, up-to-date, verifiable, and understandable. The recording and disclosure of partial, incomplete, fragmented, or misleading data is prohibited.

Principle of purpose: The administration of personal data must comply with a legitimate purpose in accordance with the Constitution and the law. The purpose must be communicated to the owner of the information prior to or at the same time as authorization is granted, when necessary, or in general whenever the owner requests information in this regard.

Principle of temporary nature of information: The data subject's information may not be provided to users or third parties when it no longer serves the purpose of the database.

3. SCOPE

This policy applies to all owners of personal information that is used and/or stored in the databases of CONSERVAS DELCASINO SAS and all those who act as data controllers.

This policy must be strictly complied with by all CONSERVAS DELCASINO SAS employees , contractors , and third parties acting on behalf of the company, in order to ensure the proper handling and processing of personal data during its collection, storage, use, circulation, or deletion. Failure to comply with this Policy will result in labor sanctions or contractual liability, as applicable. This Personal Data Protection Policy shall apply to all Databases and/or Files containing Personal Data that are subject to Processing by CONSERVAS DELCASINO SAS.

4. DEFINITIONS

For greater clarity on the concepts related to personal data protection regulations, it is necessary to understand the following definitions contained in Law 1266 of 2008, Law 1581 of 2012, and their complementary regulations, Regulatory Decrees, as follows:

1. Authorization: Prior, express, and informed consent of the Owner to carry out the Processing of personal data.
2. Privacy Notice: Physical, electronic, or any other format document generated by the controller and made available to the Data Subject for the processing of their personal data. The Privacy Notice informs the Data Subject of the existence of the information processing policies that will apply to them, how to access them, and the purpose of the intended processing of personal data.
3. Database: Organized set of personal data that is subject to processing.
4. Personal data: Any information linked to or that can be associated with one or more specific or identifiable individuals.
5. Public data:Data that is not semi-private, private, or sensitive. Public data includes, among other things, data relating to a person's marital status, profession or trade, and status as a merchant or public servant. By its nature, public data may be contained, among other things, in public records, public documents, official gazettes and bulletins, and duly enforced court rulings that are not subject to confidentiality. 
6. Sensitive data:Sensitive data is understood to be data that affects the privacy of the Data Subject or whose misuse may lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, membership in unions, social organizations, human rights organizations, or that promote the interests of any political party or guarantee the rights and guarantees of opposition political parties, as well as data relating to health, sex life, and biometric data. 
7. Data Processor: Natural or legal person , public or private, who, alone or in association with others, processes personal data on behalf of the Data Controller.
8. Source of information: The person, entity, or organization that receives or becomes aware of personal data belonging to the data subjects, by virtue of a commercial or service relationship or any other type of relationship, and which, by virtue of legal authorization or authorization from the data subject, provides that data to an information operator, who in turn will deliver it to the end user. If the source delivers the information directly to users and not through an operator, it will have the dual status of source and operator and will assume the duties and responsibilities of both. The source of the information is responsible for the quality of the data provided to the operator, which, as soon as it has access to and provides personal information of third parties, is subject to compliance with the duties and responsibilities provided for to guarantee the protection of the rights of the data owner. 
9. Information operator: An information operator is defined as the person, entity, or organization that receives personal data about various data subjects from the source, manages it, and makes it available to users under the parameters of this law. Therefore, as soon as the operator has access to the personal information of third parties, they are subject to compliance with the duties and responsibilities established to guarantee the protection of the rights of the data subject. Unless the operator is the source of the information itself, they have no commercial or service relationship with the data subject and are therefore not responsible for the quality of the data provided to them by the source.
10. Data Controller: Natural or legal person , public or private, who, alone or in association with others, decides on the database and/or the processing of the data; person who decides on, among other things, the collection and purposes of the processing. 
11. Data subject: The natural or legal person to whom the information stored in a database refers and who is subject to the right of habeas data and other rights and guarantees referred to in Law 1266 of 2008.
12. Transfer:Data transfer occurs when the controller and/or processor of personal data, located in Colombia, sends the information or personal data to a recipient, who is also a controller and is located inside or outside the country.
13. Transmission:Processing of personal data that involves the communication of such data within or outside the territory of the Republic of Colombia when the purpose is for the Processor to carry out processing on behalf of the Controller.
14. Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, circulation, or deletion.
15. User: The user is the natural or legal person who, under the terms and circumstances provided for by law, may access personal information belonging to one or more data subjects, provided by the operator or source, or directly by the data subject. The user, insofar as they have access to the personal information of third parties, is subject to compliance with the duties and responsibilities provided for to guarantee the protection of the rights of the data owner. In the event that the user in turn provides the information directly to an operator, they will have the dual status of user and source, and will assume the duties and responsibilities of both; 

5. NATIONAL DATABASE REGISTRY

With the prior approval of the Legal Representative, the Personal Data Processing Officer of CONSERVAS DELCASINO SAS shall be responsible for registering and updating the databases created with the Superintendency of Industry and Commerce within two (2) months of their creation . Similarly , they shall update the information already provided whenever there are substantial changes in said databases. 

The registration of databases will be carried out in the National Database Registry, accompanied by this Policy, and will be done independently for each of the existing databases that contain personal data subject to processing.

The information provided in the National Database Registry will be as follows: 

1. Identification, location, and contact details of the person responsible for processing the database.
2. Identification, location, and contact details of the person or persons responsible for processing the database.
3. Channels for rights holders to exercise their rights.
4. Name and purpose of the database.
5. Method of processing the database (manual and/or automated), and
6. Information Processing Policy.

6. PURPOSE FOR WHICH PERSONAL DATA IS COLLECTED

CONSERVAS DELCASINO SAS may use personal data for the following purposes:

1. Verification of information and prevention of money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction, behaviors that put the company at legal risk and jeopardize its image, name, and reputation, with possible criminal implications. Compliance is mandatory for all employees, suppliers, customers, partners, and other business allies.
2. Compliance MANUAL SAGRILAFT – SYSTEM FOR SELF-CONTROL AND COMPREHENSIVE RISK MANAGEMENT LA/FT/FPADM AND REPORTING OF SUSPICIOUS TRANSACTIONS TO THE UIAF – PTEE PROGRAM FOR TRANSPARENCY AND BUSINESS ETHICS CONSERVAS DELCASINO SAS.
3. Execute the existing contractual relationship with its customers, suppliers, and employees, including the payment of contractual obligations. 
4. Provide the services and/or products required by its users.
5. To inform about new products or services and/or changes to them.
6. Evaluate service quality.
7. Send commercial, advertising, or promotional information about products and/or services, events, and/or commercial promotions to physical mail, email, cell phones, or mobile devices via text messages or any other analog and/or digital means of communication created or to be created, in order to promote, invite, direct, execute, inform and, in general, carry out advertising campaigns or promotions undertaken by the Company.
8. Develop the selection, evaluation, and employment process.
9. Support internal or external audit processes.
10. Record information on employees and/or retirees (active and inactive) in the Company's databases.

7. RIGHTS YOU HAVE AS THE OWNER OF PERSONAL DATA

1. To know, update, and rectify your personal data before those responsible for processing or those in charge of processing. This right may be exercised, among others, in relation to partial, inaccurate, incomplete, fragmented, misleading data, or data whose processing is expressly prohibited or has not been authorized.
2. Request proof of the authorization granted to the data controller, except where expressly exempted as a requirement for processing.
3. To be informed by the Data Controller or Data Processor, upon request, regarding the use that has been made of your personal data.
4. File complaints with the Superintendency of Industry and Commerce for alleged violations of personal data protection.
5. Revoke authorization and/or request the deletion of data when the principles, rights, and constitutional and legal guarantees are not respected in the Processing. Access your personal data that has been subject to Processing free of charge.

 7.1. The owners of the information may exercise the rights set forth in this Policy through the procedure established in section ten of this Policy.

8. COMPANY OBLIGATIONS

The following aspects must be taken into account, without these being exhaustive, since in any case and in matters not stated herein, the legal regulations in force must be applied, in particular Law 1266 of 2008" Which establishes the general provisions of habeas data," Law 1581 of 2012"Which establishes general provisions for the protection of personal data," its Regulatory Decrees, and other laws, decrees that add to, modify, or complement them.

All those required to comply with this policy must bear in mind that CONSERVAS DELCASINO SAS is obliged to comply with duties imposed by law. Therefore, they must act in such a way as to fulfill the following obligations:

1. In cases where personal data is collected, it must be limited to personal data that is relevant and appropriate for the purpose for which it is collected. 
2. The processing of information requires the prior express authorization of the owner of the information. In any case, personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent. 
3. In the specific case of sensitive data, express and explicit authorization must be obtained for each case. Sensitive data is defined by law as that which affects the privacy of the owner or whose misuse may lead to discrimination.
4. Those responsible for and in charge of processing must document the procedures for processing, storing, and deleting personal data in accordance with the applicable provisions on the matter in question, as well as the instructions issued in this regard by the Superintendency of Industry and Commerce. 
5. The data subject must be informed clearly, sufficiently, and in advance about the purpose of the information provided and, therefore, data may not be collected without clearly specifying the purpose for which it is being collected.
6. Request and retain, under the conditions set forth in this policy, a copy of the respective authorization granted by the owner. 
7. Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data, that is, to know, update, or rectify their personal data. Inform the data subject, upon request, about the use given to their personal data.  
8. Process inquiries and complaints made in accordance with the terms set forth in this policy. Observe the principles of accuracy, quality, security, and confidentiality in accordance with the terms established in this policy.
9. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access. 
10. Update the information when necessary.

9. AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA

Whenever CONSERVAS DELCASINO SAS collects personal information and data , it must obtain the prior, express, and informed consent of the owner to collect and process their personal data using automated, written, or oral technical means for this purpose, which allow proof of authorization to be retained.

This obligation does not apply to data of a public nature, the processing of information for historical, statistical, or scientific purposes in which the information is not linked to a specific person, or data related to the Civil Registry of Persons.

To obtain authorization, please follow these instructions: 

Firstly, before the person gives their authorization, they must be clearly and expressly informed of the following: 

• The processing to which your personal data will be subjected and the purpose thereof. 
• The optional nature of answering questions asked of you when they concern sensitive data or data relating to children and adolescents. 
• Your rights as the owner.
• The identification, physical or electronic address, and telephone number of CONSERVAS DELCASINO SAS.

Secondly, you will obtain the consent of the data subject through any means that can be subsequently consulted. Proof of compliance with the obligation to inform and consent must be provided. If the data subject requests a copy of these, they must be provided. Authorization may also be obtained from unequivocal conduct on the part of the data subject that allows for a reasonable conclusion that they have given their consent to the processing of their information. Such conduct must be very clear so that there is no doubt or misunderstanding about the willingness to authorize the processing and the purposes thereof. Under no circumstances may the silence of the Data Subject be considered unequivocal conduct.

9.1. AUTHORIZATION FORM FOR THE PROCESSING OF PERSONAL DATA: For the purposes indicated above, authorization for data processing will be granted through Annex 1 , "AUTHORIZATION FORM FOR THE PROCESSING OF PERSONAL DATA." This duly signed authorization must be kept in digital or physical form as proof of the authorization granted by the owners of personal data for the processing thereof. The responsibility for safekeeping the duly signed authorization shall be borne by the person and/or area delegated in section 5.1 of this Policy as responsible for the "PERSONAL DATA PROTECTION, COMPLIANCE, AND MANAGEMENT OF THIS POLICY." 

10. ATTENTION TO REQUESTS, QUERIES, AND COMPLAINTS

The purpose of requests, complaints, and claims is to correct, update, or delete data or to file a complaint for alleged breach of any of the duties contained in this Policy and the rules governing the matter.

10.1. Requests , complaints, and/or claims must be submitted in writing to CONSERVAS DELCASINO SAS, which can be done through the following means:

1. Located at the Office of the Personal Data Processing Officer, Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia; open from 8:00 a.m. to 5:00 p.m., Monday through Friday.
2. Email: lider.admon@salsasdelcasino.com
3. Phone: 316 626 5290
4. https://alimentosdelcasino.com

10.2. The request, complaint, or claim must contain the following information: 

1. Name and identification of the data owner.
2. Accurate and complete description of the facts giving rise to the request, complaint, and/or claim. 
3. Physical or electronic address to send the response and report on the status of the procedure.
4. Documents and other relevant evidence that you wish to present.

10.3. CONSERVAS DELCASINO SAS will provide a written response within ten (10) business days through the Compliance Officer.

10.4. FORM FOR SUBMITTING REQUESTS, COMPLAINTS, OR CLAIMS

For the submission of requests, complaints, and claims, CONSERVAS DELCASINO SAS provides Annex 2 , "FORM FOR THE SUBMISSION OF REQUESTS, COMPLAINTS, OR CLAIMS." This is without prejudice to the right of the person submitting the request, complaint, or claim to do so through their own means and formats.

11. SECURITY MEASURES

In accordance with the security principle established in this Policy, Law 1581 of 2012 , and other related regulations , CONSERVAS DELCASINO SAS will adopt the technical, human , and administrative measures necessary to ensure the security of records , preventing their adulteration, loss, consultation, unauthorized or fraudulent use or access. Personnel who process personal data will execute the established protocols in order to guarantee the security of the information.

12. VIDEO SURVEILLANCE

CONSERVAS DELCASINO SAS uses various video surveillance devices installed in different internal and external locations at our facilities and offices. 

CONSERVAS DELCASINO SAS informs users of the existence of these mechanisms by displaying video surveillance notices in visible locations. 

The information collected will be used for the safety of people, property, and facilities. This information may be used as evidence in any type of proceeding before any type of authority or organization.

13. TEMPORARY LIMITATIONS ON THE PROCESSING OF PERSONAL DATA

CONSERVAS DELCASINO SAS may collect, store, use, or circulate personal data for as long as is reasonable and necessary, in accordance with the purposes that justified the processing, in compliance with the applicable provisions on the matter in question and the administrative, accounting, tax, legal, and historical aspects of the information. Once the purpose or purposes of the processing have been fulfilled, and without prejudice to any legal provisions to the contrary, it shall proceed to delete the personal data in its possession. Notwithstanding the foregoing, personal data must be retained when required to comply with a legal or contractual obligation.

14. TERM OF VALIDITY OF THE DATABASES

CONSERVAS DELCASINO SAS establishes a validity period of five (5) years for databases from the date of their creation. Once this period has expired, the databases will be updated by the person and/or department responsible, as indicated in section 5.1 of this Policy.

15. INFORMATION SECURITY

CONSERVAS DELCASINO SAS establishes this Information Security Policy, which contains the technical, human, and administrative measures necessary to ensure the security of personal data , preventing its adulteration, loss, consultation, unauthorized or fraudulent use or access. 

15.1. Processing of Personal Data: For the collection, storage, and processing of personal and sensitive data, the prior, express, and informed consent of the Data Subject must exist in all cases in order to carry out the processing of personal data. This consent shall be managed and processed by the persons referred to in section 15.6 of this Policy, who are responsible for and in charge of the collection, storage, and processing of personal data through the physical and electronic document, as applicable, "AUTHORIZATION FORM FOR THE PROCESSING OF PERSONAL DATA"; which shall contain a) the purpose for which the personal data is collected, b) the rights of the data subject, c) the handling of requests, queries, and complaints, and d) the data subject's statement and/or acceptance. In the specific case of sensitive data, express and explicit authorization must be obtained for each case. Sensitive data is defined by law as that which affects the privacy of the owner or whose misuse may lead to discrimination.

15.2. Secure Automated Digital Folders: The company will create, through its IT and/or Technology department, Secure Automated Digital Folders with non-transferable Usernames and Passwords. Each folder will be named after each Database, where the information collected from each data subject will be stored, together with the respective authorization and/or consent for the processing of personal data.

15.3 Personal data security: The company, through its IT and/or Technology department, will be responsible for monitoring and ensuring the security of personal data, as well as ensuring that the information is available for consultation by those responsible and that it is not subject to loss, tampering, unauthorized or fraudulent use. Similarly, it must guarantee the security of the information and prevent information leaks when those responsible for collecting and storing the information have remote access to it. In any case, the company's IT and/or Technology department must ensure that the information in the databases is only used for input and consultation, preventing its extraction; except when such information must be used for the purposes set out in the"INFORMATION PROCESSING AND PERSONAL DATA PROCESSING POLICY," in whichcase prior written authorization from the Finance Department and/or the Compliance Officer will be required.

15.4 Data backup: The company's IT and/or Technology department must perform and guarantee at least one data backup per week in case of tampering or loss, and must also establish the necessary security mechanisms to prevent unauthorized or fraudulent use of or access to each database. 

15.5 User and Password: Each folder and/or database will be assigned a single person in charge with a user name and password, who will be directly responsible for the collection, storage, protection, and processing of personal data. They may not use or process the data in any way other than that authorized by each owner of the information, under penalty of serious breach of their work obligations and prohibitions.

15.6 Persons responsible for the collection, storage, protection, and processing of personal data: According to each database, and to whom a non-transferable username and password will be assigned by the IT and/or Technology department .

NAME AND PURPOSE OF THE DATABASE	RESPONSIBLE
SUPPLIERS	Name: Juan David Herrera Ávila Identification: 1073517567 Address: Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia Email: compras@salsasdelcasino.com Telephone: 601 487 3222
CUSTOMERS	Name: Andrés Michael García Boada. Identification: 1000120860 Address: Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia Email: cartera@salsasdelcasino.com Phone: 601 487 3222
WORKERS	Name: Nidia Carolina Gómez Arana Identification: 52951036 Address: Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia Email: recursosh@salsasdelcasino.com Telephone: 601 487 3222

Access to the databases by unauthorized personnel is expressly prohibited. Therefore, those responsible for the collection, storage, protection, and processing of personal data shall be solely responsible for the processing thereof, under penalty of applicable disciplinary sanctions. 

15.7 Appointments responsible for the collection, storage, protection, and processing of personal data: The appointment and removal of those responsible for the collection, storage, protection, and processing of personal data will be the responsibility of the Legal Representative and/or Personal Data Processing Officer, who will authorize the request for a username and password from the IT and/or Technology department . 

15.8 Confidentiality Agreement: Those responsible for databases and for the collection, storage, protection, and processing of personal data, as well as those responsible for the company's IT and/or technology area, shall sign, upon appointment, a Confidentiality Agreement in accordance with Annex 3, regarding the information to which they will have access. This agreement shall be binding and shall be kept on file in the Human Resources Department. Failure to comply with the Confidentiality Agreement will be considered a serious breach of employment obligations and prohibitions, with the appropriate disciplinary consequences.

15.9 Prior validation and proper use of information: Those responsible for the collection, storage, protection, and processing of personal data must first validate the data to be collected by requesting the necessary documentation and identification from the owners of the information, together with Annex 1 "AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA,"taking all necessary measures to ensure that the data collected is correct for subsequent storage and use. Likewise, at all times, they shall ensure the correct processing of the information in its collection, circulation, and disposal solely and exclusively for the purposes set forth in the "POLICY ON THE PROCESSING OF INFORMATION AND PERSONAL DATA."

15.9.1 Physical and secure location of the company for the storage of personal data: The company, through the Personal Data Processing Officer, will have the necessary resources and a physical location on its premises,  secure, restricted-use, and locked location where personal data collected physically by those in charge of and responsible for processing such data will be stored, ensuring that the information is accessible only by those responsible and that it is not subject to loss, tampering, unauthorized or fraudulent use.

15.9.2 Information Storage Protocol: The persons responsible for the collection, storage, protection, and processing of personal data shall follow the procedure below, under the supervision and direction of the Personal Data Processing Officer.

1. They will physically or digitally manage the prior, express, and informed consent of the owner of the information in accordance with the "FORMAT FOR AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA."

2. They will store the information physically or digitally, either in Secure Automated Digital Folders or in a secure physical location at the company, as appropriate. 

3. They will process personal data exclusively for the purposes for which the data subject has given their consent, which must be recorded as evidence of the use and processing of personal data; it being understood that without the consent of the data subject, the collection, storage, and processing of personal data is prohibited.

Once personal data has been collected, stored, and processed, and is stored digitally or physically, those responsible for collecting and processing personal data must ensure that the information is kept under lock and key if it is stored physically, or with the session closed and/or folder closed if the information is stored digitally. 

15.9.3 Prohibition on extracting information from databases: Any employee of the company or third party is expressly prohibited from extracting physical or digital information stored in databases; failure to comply will result in the corresponding disciplinary actions, understood as a serious breach of labor obligations and prohibitions, and other legal actions as applicable. The foregoing is except for the cases provided for in this Policy, for which authorization from the Legal Representative and/or the Personal Data Processing Officer will be required.

15.9.4 Final disposal of information: Once the term of validity of the databases established in the"INFORMATION PROCESSING AND PERSONAL DATA PROCESSING POLICY" has expired, the information will be destroyed, by means of a document signed by the person responsible for the information, the company's IT and/or Technology department, and the Personal Data Processing Officer.

15.9.5 Management of information security incidents: In the event of an incident involving the information stored in the databases, whether it be alteration, loss, and/or any other type of impact on the information stored therein; the person responsible for the information and/or the person who detects the incident shall immediately notify the Personal Data Processing Officer and the company's IT and/or Technology department in writing, providing detailed information about the incident and the detected issue, whereupon an investigation process shall be initiated by the Human Resources Department. Similarly, the company's IT and/or Technology department will immediately conduct an investigation and submit a detailed report to Human Resources and the Personal Data Processing Officer within three (3) days of the incident being reported, detailing the causes and conclusions. It will also immediately make the necessary adjustments to correct the incidents and vulnerabilities that have arisen, preventing them from recurring.

15.9.6 Audit: At least once every twelve (12) months, the Personal Data Processing Officer shall conduct an audit to verify compliance with the "INFORMATION PROCESSING AND PERSONAL DATA PROCESSING POLICY" and shall report the results thereof to the Legal Representative.

16. PERSON OR DEPARTMENT RESPONSIBLE FOR COMPLIANCE WITH AND IMPLEMENTATION OF THIS POLICY AND HANDLING OF REQUESTS, COMPLAINTS, OR CLAIMS

The Personal Data Processing Officer will be responsible for directing and coordinating compliance with this policy, as well as handling requests, complaints, and claims with the aim of correcting, updating, or deleting data or filing a complaint for alleged breach of any of the duties contained in this Policy and the regulations governing this matter.

ATTENTION REQUESTS, INQUIRIES, AND COMPLAINTS	RESPONSIBLE
In the event of requests, complaints, or claims for the purpose of correcting, updating, or deleting data, or filing a complaint for alleged breach of any of the duties contained in this Policy and the regulations governing the matter, these should be sent to:	Personal Data Processing Officer. Address: Avenida la Esperanza No. 96-10, Bogotá D.C., Colombia Email: lider.admon@salsasdelcasino.com Telephone: 601 487 3222 – 316 626 5290

17. LEGAL FRAMEWORK AND BIBLIOGRAPHY

This Data Processing Policy has been drawn up in accordance with the provisions of the Political Constitution of Colombia, the regulations indicated below, and any others that modify, repeal, or replace them with regard to the collection, storage, use, circulation, deletion, and all other activities that constitute the processing of personal data.

• Law 1266 of 2008 "which establishes the general provisions of habeas data and regulates the handling of information contained in personal databases, especially financial, credit, commercial, services, and information from third countries, and establishes other provisions."
• Decree 2952 of 2010 "regulating Articles 12 and 13 of Law 1266 of 2008."
• Law 1581 of 2012 "establishing general provisions for the protection of personal data."
• Decree 1377 of 2013, "which partially regulates Law 1581 of 2012." 
• Decree 886 of 2014 "regulating Article 25 of Law 1581 of 2012, relating to the national database registry."
• Decree 1074 of 2015 / Chapter 2 / partially regulates Law 1581 of 2012
• Law 2157 of 2021 "whereby the statutory law is amended and supplemented 1266 of 2008, and general provisions of habeas data are enacted in regarding financial, credit, commercial, and service information, as well as information from third countries, and other provisions are enacted."

18. FORMATS AND ANNEXES

1. Appendix 1 "AUTHORIZATION FOR THE PROCESSING OF PERSONAL DATA." 
2. Appendix 2 "FORM FOR SUBMITTING PETITIONS, COMPLAINTS, OR CLAIMS."
3. ANNEX 3 CONFIDENTIALITY AGREEMENT.

19. TERM

This Policy is published at www.alimentosdelcasino.com and will come into effect on April 1, 2025, superseding any previous policies on the same subject matter.